| purl | pkg:rpm/redhat/jenkins-2-plugins@4.17.1739859908-1?arch=el9 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-fcg2-x3s5-wudk (Aliases: CVE-2024-47072, GHSA-hfq9-hggm-c56q) | XStream is vulnerable to a Denial of Service attack due to stack overflow from a manipulated binary input stream. **Impact:** The vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. **Patches:** XStream 1.4.21 detects the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead. **Workarounds:** The only solution is to catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. **References:** See full information about the nature of the vulnerability and the steps to reproduce it in XStream's documentation for [CVE-2024-47072](https://x-stream.github.io/CVE-2024-47072.html). **Credits:** Alexis Challande of Trail Of Bits found and reported the issue to XStream and provided the required information to reproduce it. | There are no reported fixed by versions. |
| VCID-g6p1-25m8-hyak (Aliases: CVE-2024-47855, GHSA-wwcp-26wc-3fxm) | JSON-lib mishandles an unbalanced comment string: util/JSONTokener.java in JSON-lib before 3.1.0 mishandles an unbalanced comment string. | There are no reported fixed by versions. |
| VCID-napj-3e58-nqav (Aliases: CVE-2024-52550, GHSA-mrpr-vr82-x88r) | Rebuilding a run with revoked script approval allowed by Jenkins Pipeline: Groovy Plugin. Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3, does not check whether the main (Jenkinsfile) script for a rebuilt build is approved, allowing attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved. This allows attackers with Item/Build permission to rebuild a previous build whose (Jenkinsfile) script is no longer approved. Pipeline: Groovy Plugin 3993.v3e20a_37282f8 refuses to rebuild a build whose main (Jenkinsfile) script is unapproved. | There are no reported fixed by versions. |
| VCID-rx46-cr1m-uuge (Aliases: CVE-2024-52549, GHSA-jv82-75fh-23r7) | Missing permission check in Jenkins Script Security Plugin. Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system. This allows attackers with Overall/Read permission to check for the existence of files on the controller file system. Script Security Plugin 1368.vb_b_402e3547e7 requires Overall/Administer permission for the affected form validation method. | There are no reported fixed by versions. |
| VCID-ufjq-w47y-3qeq (Aliases: CVE-2024-52551, GHSA-p2qq-c693-q53w) | Restarting a run with revoked script approval allowed by Jenkins Pipeline: Declarative Plugin. Jenkins Pipeline: Declarative Plugin 2.2214.vb_b_34b_2ea_9b_83 and earlier does not check whether the main (Jenkinsfile) script used to restart a build from a specific stage is approved, allowing attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved. This allows attackers with Item/Build permission to restart a previous build whose (Jenkinsfile) script is no longer approved. Pipeline: Declarative Plugin 2.2218.v56d0cda_37c72 refuses to restart a build whose main (Jenkinsfile) script is unapproved. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T13:44:50.315338+00:00 | RedHat Importer | Affected by | VCID-g6p1-25m8-hyak | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47855.json | 38.0.0 |
| 2026-04-01T13:44:07.890046+00:00 | RedHat Importer | Affected by | VCID-fcg2-x3s5-wudk | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47072.json | 38.0.0 |
| 2026-04-01T13:44:02.146065+00:00 | RedHat Importer | Affected by | VCID-napj-3e58-nqav | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52550.json | 38.0.0 |
| 2026-04-01T13:44:01.886805+00:00 | RedHat Importer | Affected by | VCID-rx46-cr1m-uuge | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52549.json | 38.0.0 |
| 2026-04-01T13:44:01.608778+00:00 | RedHat Importer | Affected by | VCID-ufjq-w47y-3qeq | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-52551.json | 38.0.0 |